By Mark Arena, Intel 471 and Travis Farral, Anomali

We’ve all seen the research into Fancy Bear (aka APT28, Sofacy, etc.), which is likely a group sponsored by or part of the Russian government. They even have their own website. Research into these groups is predominantly reactive.

Typical process for investigating nation state malware.

You’ll note in the above process that this is all driven by malware or attack samples being obtained at the beginning. The very nature of this means that attacks are already underway or might have already been finished by the time it’s detected or blocked. Protections against future attacks from this same actor using this process may or may not bear fruit as a result.

What if, instead of simply waiting for malware or attack samples, we research one of the core enablers of this type of threat activity? Would this be a better return on investment for our efforts?

Bulletproof Hosting

For those who don’t know, bulletproof hosting is one of the key enablers for cyber threat activity. The miscreants need hosting for everything they do, be it command and control server hosting or exploit kit hosting. It also takes quite a bit of time for the miscreants to set up these servers, so ideally they want hosting that isn’t taken down easily. Any time a miscreant runs a command and control server or exploit kit, their server provider will likely receive complaints and pressure from various anti-virus and security companies to take down the malicious infrastructure. Bulletproof hosting is hosting that will (or claims to) remain running even under pressure from the anti-virus and security companies. Some bulletproof hosting providers even have their own data centers with prepaid government protection.

When it comes to bulletproof hosting, we are trying to achieve a position of information dominance over our adversary, where these hosting networks are identified before they are used and can be blocked. At Intel 471 we refer to these as “pre-IOCs”. It’s a marketing gimmick, we know, but because these aren’t indicators of compromise (IOCs) yet, we believe it’s an accurate term to describe the proactive blocking of bulletproof hosting networks. Blocking the bulletproof hosting networks proactively also means we don’t need to spend all our resources focusing on the specific threat groups or malware families themselves.

Alex

We’ll use the name Alex to describe one bulletproof hoster whom Intel 471 has tracked closely (Alex isn’t a nickname he uses). At the elite cybercriminal level there are only a few legitimate bulletproof hosting providers and Alex is one of them. In March-May 2017 we were able to link Alex’s bulletproof hosting network to the following malicious infrastructure:

Alex’s front-end proxy network from March-May 2017 consisted of around 800 different IPs across about 230 different providers. The vast majority were abusing US, Chinese and Russian cloud hosting providers. In the beginning, the daily average size was around 100 hosts that were being rotated across his clients’ infrastructure.
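A front-end proxy network that rotates hosts daily is only useful to a defender if the rotation is tracked rather than snapshotted once. The script below is an added example (not Intel 471 or Anomali code) that diffs consecutive daily observations of such a network, summarises its size and provider spread, and keeps a cumulative blocklist so that hosts rotated out one day are still blocked when they come back. The snapshot data, provider names and dates are constructed sample values using RFC 5737 documentation addresses, not Alex’s real infrastructure.

```python
"""Tracking a rotating front-end proxy network across daily snapshots.

Added example, not Intel 471 or Anomali code. SNAPSHOTS is constructed
sample data (documentation-range IPs, fictional provider names); a real
tracker would load each day's hosts from an intelligence feed instead.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed: each day's observed front-end proxy hosts, mapped to the
# hosting provider they were seen abusing.
SNAPSHOTS = {
    "2017-03-01": {"192.0.2.10": "ProviderA (US)", "192.0.2.11": "ProviderA (US)",
                   "198.51.100.5": "ProviderB (CN)", "203.0.113.7": "ProviderC (RU)"},
    "2017-03-02": {"192.0.2.11": "ProviderA (US)", "198.51.100.5": "ProviderB (CN)",
                   "203.0.113.8": "ProviderC (RU)", "203.0.113.9": "ProviderC (RU)"},
    "2017-03-03": {"192.0.2.12": "ProviderA (US)", "198.51.100.6": "ProviderB (CN)",
                   "203.0.113.9": "ProviderC (RU)"},
}


def validate(snapshots):
    """Reject malformed addresses early so one bad feed line cannot poison a blocklist."""
    for hosts in snapshots.values():
        for ip in hosts:
            ip_address(ip)  # raises ValueError on anything that is not an IP
    return True


def daily_churn(snapshots):
    """For each consecutive pair of days return (day, added, removed, retained) counts.

    High added/removed relative to retained is the rotation signal: a block
    applied from a single day's snapshot would already be stale the next day.
    """
    days = sorted(snapshots)
    churn = []
    for prev, cur in zip(days, days[1:]):
        before, after = set(snapshots[prev]), set(snapshots[cur])
        churn.append((cur, len(after - before), len(before - after), len(before & after)))
    return churn


def network_summary(snapshots):
    """Distinct IPs, distinct providers, average daily size and per-provider IP counts."""
    all_hosts = {}
    for hosts in snapshots.values():
        all_hosts.update(hosts)
    per_provider = Counter(all_hosts.values())
    avg_daily = sum(len(h) for h in snapshots.values()) / len(snapshots)
    return {
        "distinct_ips": len(all_hosts),
        "distinct_providers": len(per_provider),
        "avg_daily_size": avg_daily,
        "per_provider": dict(per_provider),
    }


def cumulative_blocklist(snapshots):
    """Union of every host ever observed, sorted numerically.

    Rotated-out hosts are deliberately kept: the network reuses them, so the
    blocklist should only grow until an analyst retires entries explicitly.
    """
    seen = set()
    for hosts in snapshots.values():
        seen.update(hosts)
    return sorted(seen, key=ip_address)


if __name__ == "__main__":
    validate(SNAPSHOTS)
    for day, added, removed, retained in daily_churn(SNAPSHOTS):
        print(f"{day}: +{added} -{removed} retained={retained}")
    print(network_summary(SNAPSHOTS))
    print(cumulative_blocklist(SNAPSHOTS))
```

On the constructed data the churn report shows two to three hosts turning over each day against one or two retained, which is why the blocklist is cumulative rather than rebuilt from the latest snapshot.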

Blocking Alex and all his miscreant customers

Using Intel 471’s actor-centric intelligence with Anomali ThreatStream, we are able to automatically ingest, correlate and action the blocking of Alex’s bulletproof hosting network. Intel 471, in this case, is the collector of the information, whilst the ThreatStream platform enables the sharing of this threat information into your organization’s security infrastructure.
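The ingest, correlate and action steps above map onto three small functions. The following is an added example, not ThreatStream or Intel 471 code: it parses a constructed pre-IOC feed (host IPs and CIDR ranges with a label), correlates it against constructed firewall log lines to surface connections that already reached the network, and renders the feed as outbound drop rules. The feed format, log format, hostnames and all IP values are assumptions chosen for illustration (RFC 5737 documentation ranges); a real deployment would take the indicators from the platform and push the rules through its own integrations.

```python
"""Ingest a 'pre-IOC' feed, correlate it with firewall logs, emit block rules.

Added example, not ThreatStream or Intel 471 code. Feed format, log
format and every IP below are constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed feed: one indicator per line, host or CIDR, comma, label.
PRE_IOC_FEED = """\
# indicator,label
203.0.113.0/28,alex-frontend-proxy
198.51.100.77,alex-frontend-proxy
192.0.2.200,alex-frontend-proxy
"""

# Constructed firewall log lines (src -> dst) in a simple syslog-like shape.
SAMPLE_LOGS = """\
2017-04-02T10:01:07Z fw1 ALLOW tcp 10.0.0.15:51234 -> 203.0.113.9:443
2017-04-02T10:01:09Z fw1 ALLOW tcp 10.0.0.22:51501 -> 192.0.2.50:443
2017-04-02T10:02:11Z fw1 ALLOW tcp 10.0.0.15:51240 -> 198.51.100.77:8080
2017-04-02T10:03:45Z fw1 ALLOW udp 10.0.0.40:53211 -> 192.0.2.201:53
2017-04-02T10:04:00Z fw1 ALLOW tcp 10.0.0.15:51251 -> 203.0.113.99:80
"""

LOG_RE = re.compile(
    r"^(\S+) (\S+) (\S+) (\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$"
)


def parse_feed(text):
    """Ingest: return ([(ip_network, label), ...], [malformed lines]).

    Single hosts are normalised to /32 networks so one membership test
    serves both shapes; bad lines are reported, not silently dropped.
    """
    indicators, malformed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            value, label = line.split(",", 1)
            indicators.append((ip_network(value.strip(), strict=False), label.strip()))
        except ValueError:
            malformed.append(line)
    return indicators, malformed


def match_indicator(dst, indicators):
    """Return the (network, label) containing dst, or None. Linear scan is fine
    for a feed of hundreds of entries; a prefix trie would be used at scale."""
    addr = ip_address(dst)
    for net, label in indicators:
        if addr in net:
            return net, label
    return None


def correlate(logs, indicators):
    """Correlate: one dict per log line whose destination falls inside an indicator."""
    hits = []
    for line in logs.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, _host, _action, proto, src, _sport, dst, dport = m.groups()
        found = match_indicator(dst, indicators)
        if found:
            net, label = found
            hits.append({"ts": ts, "proto": proto, "src": src, "dst": dst,
                         "dport": int(dport), "indicator": str(net), "label": label})
    return hits


def block_rules(indicators):
    """Action: render each indicator as an outbound iptables DROP rule string."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP  # {label}"
            for net, label in indicators]


if __name__ == "__main__":
    feed, bad = parse_feed(PRE_IOC_FEED)
    for hit in correlate(SAMPLE_LOGS, feed):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} matched {hit['indicator']} ({hit['label']})")
    print("\n".join(block_rules(feed)))
```

Two of the five constructed log lines match: the host inside the /28 and the exact /32. The neighbouring addresses (192.0.2.201, 203.0.113.99) do not, which is the check worth keeping in mind when a feed mixes single hosts with ranges.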

What’s the return on investment?

The idea behind proactively blocking bulletproof hosting is that you are blocking things before they are bad. That is, don’t wait for your organization’s systems to be compromised with the latest exploit kit, banking trojan or ransomware, whereupon a costly incident response exercise is initiated. Intel 471 believes that there are truly only a dozen legitimate bulletproof hosters in the top tier or elite cybercriminal underground. The efficiency gain from simply blocking these pre-IOCs, compared to the cost of not doing so, is very large.

This is financially motivated cybercrime! You mentioned Fancy Bear at the start!

We did and you found us out. Alex’s cybercriminal bulletproof hosting service has been used in targeted attacks in Eastern Europe. Nation state threat actors need bulletproof hosting too.

The joint Anomali and Intel 471 offering

The joint Anomali and Intel 471 offering provides a window into the elite cybercriminal underground within the Anomali ThreatStream platform. This centralized threat intelligence solution provides proactive and breaking insight into how top tier cybercriminals are targeting your organization, assets, and people. Leveraging ThreatStream’s integrations and data enrichment features with Intel 471’s intelligence and insights creates a powerful weapon against cybercriminals and other threat actors. It’s a solution that gives analysts the ability to research actors like Alex and proactively push out protections against his known infrastructure. Because Intel 471 stays on top of actors like Alex, infrastructure changes can be followed and defenses adjusted accordingly.

Anomali, Intel 471 Silver, Gold and Platinum Offerings

Anomali and Intel 471 are happy to announce that as of 1 August 2017 we are offering silver, gold and platinum Intel 471 packages so organizations of any size can take advantage of Intel 471’s actor-centric intelligence within the Anomali platform. These offerings are available exclusively through the Anomali platform, and their contents depend on the package chosen. Packages include:

Full integration of Intel 471 actor-centric intelligence within Anomali ThreatStream

Firedot Highlight Reports
